Logon Tickets and SAPGUI HTML Control – A look under the hood

I’ve been working in SAP support for over ten years and have spent the majority of this time supporting security related topics. However, it isn’t true that old dogs can’t be taught new tricks! Recently I was faced with some SSO (Single Sign-On) issues in relation to calling transaction SOLMAN_CENTER (and let’s throw in SOAMANAGER as well for good measure).

If you’ve used these transactions you will know that calling them opens an HTML session in SAPGUI using the SAPGUI HTML Control. In these cases, however, the user was prompted to enter user and password rather than being seamlessly brought through to the transaction via SSO (the user should not need to enter a password).

In this particular case the user expected that an HTML session in Windows SAPGUI would be opened; instead, the user was presented with a logon screen. This mechanism works using a special logon ticket described in note 612670 – SSO for local BSP calls using SAP GUI HTML Control. In such a case the user calling the transaction should be a dialog user, as other user types cannot be issued the required logon ticket. This is normally the quick solution when the issue is faced.

However, I wanted to check whether the required logon ticket was actually being issued to the user, and this is where the new trick (kudos to my colleagues in development support for this tip) came in.

Using report SAPHTML_SSO_DEMO, the issuing of this logon ticket can be tested on the AS ABAP server. To actually trace the process you will require an HTTP trace tool – in this case I used Fiddler, which can be found on the web. Simply enable Fiddler and then run report SAPHTML_SSO_DEMO to trigger the logon ticket issuing process.

The screenshot below shows that the report ran successfully while the HTTP traffic was recorded at the same time – here we can see the BSPs called by the report.

Taking a deeper look at the HTTP traffic we can see the MYSAPSSO2 cookie being issued. This confirms that the logon ticket has been issued by the system.
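To make that final check repeatable outside the Fiddler UI, here is an added example (my own, not part of the original post or of any SAP tool) that scans a saved HTTP response for the MYSAPSSO2 Set-Cookie header and reports whether the ticket was issued and which cookie attributes it carries. The response text is constructed for the example, the cookie value is a placeholder rather than a real ticket, and the sample deliberately omits the Secure attribute so the check has something to flag.

```python
# Constructed sample of an HTTP response as a trace tool such as Fiddler
# would show it for the BSP called by SAPHTML_SSO_DEMO. The ticket value
# is a placeholder, not a real MYSAPSSO2 logon ticket.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "set-cookie: sap-usercontext=sap-client=100; path=/\r\n"
    "set-cookie: MYSAPSSO2=PLACEHOLDER_TICKET_VALUE; path=/; "
    "domain=.example.corp; HttpOnly\r\n"
    "content-length: 0\r\n"
    "\r\n"
)


def parse_set_cookies(raw_response: str) -> list:
    """Return one dict per Set-Cookie header: name, value and attribute map."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            # value-less attributes such as HttpOnly or Secure become True
            attrs[key.lower()] = val if val else True
        cookies.append({"name": name, "value": value, "attrs": attrs})
    return cookies


def check_logon_ticket(raw_response: str) -> dict:
    """Report whether MYSAPSSO2 was issued and which protective attributes it has."""
    for cookie in parse_set_cookies(raw_response):
        if cookie["name"] == "MYSAPSSO2":
            attrs = cookie["attrs"]
            return {
                "issued": True,
                "httponly": attrs.get("httponly") is True,
                "secure": attrs.get("secure") is True,
                "path": attrs.get("path"),
                "domain": attrs.get("domain"),
            }
    return {"issued": False, "httponly": False, "secure": False,
            "path": None, "domain": None}


if __name__ == "__main__":
    print(check_logon_ticket(SAMPLE_RESPONSE))
```

If the ticket is absent the report returns `issued: False`, which is exactly the symptom seen when a non-dialog user calls the transaction.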